WILSON ELSER 

WILSON ELSER MOSKOWITZ EDELMAN & DICKER LLP 


October 8, 2018 

Gregory J. Bautista 
914.872.7839 (direct) 
Gregory.Bautista@wilsonelser.com 


Acting Attorney General Barbara Underwood 
New York State Attorney General's Office 

Security Breach Notification 
Internet Bureau 
120 Broadway - 3rd Floor 
New York, New York 10271 
breach.security@ag.ny.gov 

New York State Division of State Police 

Security Breach Notification 
New York State Intelligence Center 
630 Columbia Street Ext 
Latham, New York 12110 
risk@nysic.ny.gov 

New York State Department of State 
Division of Consumer Protection 

Attn: Director of the Division of Consumer Protection 

Security Breach Notification 

99 Washington Avenue, Suite 650 

Albany, New York 12231 

security_breach_notification@dos.ny.gov 

Re: Data Security Incident 


Dear Acting Attorney General Underwood: 

We represent McGlinchey Stafford, PLLC with respect to an incident involving the potential exposure of 
certain personal information described in detail below. 

1. Nature of the possible security breach or unauthorized use or access 

On September 7, 2018, McGlinchey Stafford, PLLC discovered that individuals' personal information may 
have been obtained by an unauthorized third party as the result of a phishing attack. After learning that 
spam emails were sent from an employee’s email account to other employees in the firm, McGlinchey 
Stafford, PLLC immediately engaged computer experts to determine whether information in the account 
was at risk. The investigation determined that an unknown, unauthorized third party gained access to the 
employee’s account, and could have viewed documents that contained individuals’ names and Social 
Security numbers. 

2. Number of New York residents potentially affected 

Approximately six (6) New York residents were affected in this potential incident. McGlinchey Stafford, 
PLLC sent the potentially impacted individuals a letter notifying them of this incident on October 8, 2018. 
A copy of the notification sent to the potentially impacted individuals is included with this letter, which 
informs these New York residents about the 12 months of credit monitoring and identity theft protection 
services that are being offered to them. 

3. Steps McGlinchey Stafford, PLLC has taken or plans to take relating to the potential incident 

McGlinchey Stafford, PLLC has taken steps to prevent a similar event from occurring in the future, 
including reviewing and revising their information security policies and resetting employees' access 
credentials to ensure their systems are secure. 

4. Other notification and contact information 

If you have any additional questions, please contact me at Gregory.Bautista@wilsonelser.com or 
(914) 872-7839. 


Very truly yours, 

C/O ID Experts 

10300 SW Greenburg Rd. Suite 570 
Portland, OR 97223 


[First Name] [Last Name] 
[Address 1] [Address 2] 
«City», «State» «Zip» 


To Enroll, Please Call: 
800-939-4170 
Or Visit: 
https://app.myidcare.com/account-creation/protect 

Enrollment Code: 
«XXXXXXXX» 


10/8/2018 


Dear [First Name] [Last Name]: 

We are writing to inform you of an incident that may have resulted in the disclosure of your name and Social Security 
number. As a current or former employee of McGlinchey Stafford PLLC, we take the security of your information very 
seriously and sincerely apologize for any inconvenience this incident may cause. 

On September 7, 2018, we discovered that personal information in an employee’s email account may have been accessed 
by an unauthorized third party as the result of a phishing attack. After learning that employees of the firm had received 
spam emails, we immediately engaged computer experts to determine whether information in the employee’s account was 
at risk. Our investigation determined that an unknown, unauthorized third party gained access to the employee’s account, 
and could have viewed documents that contained your name and Social Security number. The investigation did not identify 
specific activity around your information, but we are sending you this letter to provide you with resources and information 
you can use to protect yourself. 

At this time, there is no indication that your information has been accessed or used by the unauthorized party; however, out 
of an abundance of caution, we have arranged for you to enroll with ID Experts®, an incident response and recovery services 
expert, to provide you with MyIDCare™ services at no cost to you. MyIDCare services include: 

• 12 months Credit Monitoring and CyberScan monitoring; 

• $1,000,000 insurance reimbursement policy; 

• Exclusive educational materials; and 

• Fully managed Identity Theft Recovery Services (with this protection, MyIDCare will help you resolve issues if your identity is compromised). 

We encourage you to contact ID Experts with any questions and to enroll in free MyIDCare services by calling 1-800-939-4170 
or going to https://app.myidcare.com/account-creation/protect. Please note the deadline to enroll is January 8, 2019. 
Please review the Additional Important Information on the third and fourth pages of this letter to learn about the additional 
steps you can take to protect your information at no cost (for example, by asking a consumer reporting agency to place a 
fraud alert or security freeze on your consumer report information). 

We want to assure you that we remain dedicated to protecting your personal information, and are continuing to take steps 
to prevent a similar event from occurring in the future, including reviewing and revising our policies and resetting 
employees’ access credentials to ensure our systems are secure. 






We sincerely regret any inconvenience that this incident may cause you, and remain dedicated to protecting your personal 
information. Should you have any questions or concerns about this incident, please contact 800-939-4170 Monday through 
Friday from 6 am - 5 pm Pacific Time or visit https://app.myidcare.com/account-creation/protect for more information. 


Sincerely, 



Thad Hymel 

Chief Information Officer 
McGlinchey Stafford, PLLC 



Additional Important Information 


For residents of Hawaii, Michigan, Missouri, Virginia, Vermont, and North Carolina: It is recommended by state law 
that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and 
monitoring your credit report for unauthorized activity. 


For residents of Illinois, Iowa, Maryland, Missouri, North Carolina, Oregon, and West Virginia: 

It is required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether 
or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report 
from each of the three nationwide credit reporting agencies. To order your free credit report, please visit 
www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by 
mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) 
to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. 

For residents of Iowa: 

State law advises you to report any suspected identity theft to law enforcement or to the Attorney General. 

For residents of Oregon: 

State laws advise you to report any suspected identity theft to law enforcement, including the Attorney General, and 
the Federal Trade Commission. 

For residents of Maryland, Rhode Island, Illinois, and North Carolina: 

You can obtain information from the Maryland and North Carolina Offices of the Attorneys General and the 
Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity 
theft. 


Maryland Office of the 
Attorney General 

Consumer Protection 
Division 

200 St. Paul Place 
Baltimore, MD 21202 
1-888-743-0023 
www.oag.state.md.us 


Rhode Island Office of the 
Attorney General 

Consumer Protection 
150 South Main Street 
Providence RI 02903 
1-401-274-4400 
www.riag.ri.gov 


North Carolina Office of the 
Attorney General 

Consumer Protection 
Division 

9001 Mail Service Center 
Raleigh, NC 27699-9001 
1-877-566-7226 
www.ncdoj.com 


Federal Trade Commission 

Consumer Response Center 
600 Pennsylvania Ave, NW 
Washington, DC 20580 
1-877-IDTHEFT (438-4338) 
www.ftc.gov/idtheft 


For residents of Massachusetts: It is required by state law that you are informed of your right to obtain a police report if you 
are a victim of identity theft. 


For residents of all states: 


Fraud Alerts: You can place fraud alerts with the three credit bureaus by phone and 
online with Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf) or Experian 
(https://www.experian.com/fraud/center.html). A fraud alert tells creditors to follow certain procedures, including 
contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert 
can protect you, but also may delay you when you seek to obtain credit. As of September 21, 2018, initial fraud alerts last 
for one year. Victims of identity theft can also get an extended fraud alert for seven years. The phone numbers for all three 
credit bureaus are at the bottom of this page. 

Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity. 




Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is 
intended to prevent credit, loans and services from being approved in your name without your consent. To place a 
security freeze on your credit report, you need to make a request to each consumer reporting agency. You may 
make that request by certified mail, overnight mail, or regular stamped mail, or by following the instructions 
found at the websites listed below. The following information must be included when requesting a security freeze 
(note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information 
must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security 
number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any 
applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The 
request must also include a copy of a government-issued identification card and a copy of a recent utility bill or 
bank or insurance statement. It is essential that each copy be legible, display your name and current mailing 
address, and the date of issue. As of September 21, 2018, it is free to place, lift, or remove a freeze. You may 
obtain a free security freeze by contacting any one or more of the three national consumer reporting agencies: 

Equifax Security Freeze 
P.O. Box 105788 
Atlanta, GA 30348 
www.freeze.equifax.com 
800-525-6285 

Experian Security Freeze 
P.O. Box 9554 
Allen, TX 75013 
www.experian.com/freeze 
888-397-3742 

TransUnion (FVAD) 
P.O. Box 2000 
Chester, PA 19022 
freeze.transunion.com 
800-680-7289 

More information can also be obtained by contacting the Federal Trade Commission listed above. 



Schnitzer, Steven 


From: breach.security@ag.ny.gov 
Sent: Monday, October 8, 2018 12:25 PM 
To: Breach Security 
Subject: NYS Security Breach Notification submission/NYAG Confirmation # SB46575 
Attachments: ATT00001.bin; McGlinchey---AG-Notification-letter--NY.pdf 


OFFICE OF THE ACTING ATTORNEY GENERAL BARBARA UNDERWOOD 
STATE OF NEW YORK DEPARTMENT OF LAW 



Bureau of Internet and Technology 
28 Liberty Street 
New York, NY 10005 

Phone: (212) 416-8433 | Fax: (212) 416-8369 


Consumer Hotline 
(800) 771-7755 
TDD (800) 788-9898 
http://www.ag.ny.gov 


Submitted on: 10/08/2018 12:25 PM 
Complaint ID: SB46575 


Entity Information 


Name: McGlinchey Stafford, PLLC 
Street Address: 301 Main Street, Suite 1400 
City/Town: Baton Rouge 
State: LA 
Zip: 70801 
Organization Type: Other Commercial 
Organization Size: 501+ 
URL: 


Breach Details 


Description of Breach: 

Type of attack: 

Other Description: 


Unauthorized access (not including 
theft, loss or hacking) 


Information acquired in combination with name or other personal identifier: Social security number 

Total persons affected (Including NYS residents): 468 
New York State residents affected: 6 





Do you believe that this security breach was part of a larger breach that likely affected other organizations? Yes 

Comments: email phishing attack 

If the number of NYS residents exceeds 5,000, have the consumer reporting agencies been notified? No 

Breach Occurred From: 07/16/2018 

Breach Occurred To: 08/06/2018 

Breach Discovered: 09/07/2018 


Other Information 


Consumer notification date: 

10/08/2018 

Manner of notification to affected 
persons: 

Written 

List dates of any previous (within 12 
months) breach notifications: 


Identity theft protection service 
offered: 

Yes 

Provider: 

ID Experts 

Duration: 

12 months 

Brief description of service: 

Credit Monitoring and CyberScan monitoring; $1,000,000 insurance 
reimbursement; Fully managed Identity Theft Recovery Services. 


Submitted By 

Name: Gregory Bautista 

Title: Partner 

Firm name: Wilson Elser Moskowitz Edelman & Dicker LLP 

Telephone: 914-872-7839 

Email: gregory.bautista@wilsonelser.com 

Relationship to entity whose information was compromised: Attorney 

Additional comments: 





